[PM-31785] Protect Key Connector and Master Key wrapped user key and server side hash (#6953)

* protect keyConnectorWrappedUserKey * protect master key wrapped user key and server side hash
2026-02-11 14:03:24 +00:00 · 2026-02-05 22:33:59 +01:00
parent f244927149
commit 01590529eb
1 changed files with 13 additions and 3 deletions
--- a/src/Infrastructure.Dapper/Repositories/UserRepository.cs
+++ b/src/Infrastructure.Dapper/Repositories/UserRepository.cs
@@ -404,6 +404,9 @@ public class UserRepository : Repository<User, Guid>, IUserRepository

    public UpdateUserData SetKeyConnectorUserKey(Guid userId, string keyConnectorWrappedUserKey)
    {
+        var protectedKeyConnectorWrappedUserKey = string.Concat(Constants.DatabaseFieldProtectedPrefix,
+            _dataProtector.Protect(keyConnectorWrappedUserKey));
+
        return async (connection, transaction) =>
        {
            var timestamp = DateTime.UtcNow;
@@ -413,7 +416,7 @@ public class UserRepository : Repository<User, Guid>, IUserRepository
                new
                {
                    Id = userId,
-                    Key = keyConnectorWrappedUserKey,
+                    Key = protectedKeyConnectorWrappedUserKey,
                    // Key Connector does not use KDF, so we set some defaults
                    Kdf = KdfType.Argon2id,
                    KdfIterations = AuthConstants.ARGON2_ITERATIONS.Default,
@@ -431,6 +434,13 @@ public class UserRepository : Repository<User, Guid>, IUserRepository
    public UpdateUserData SetMasterPassword(Guid userId, MasterPasswordUnlockData masterPasswordUnlockData,
        string serverSideHashedMasterPasswordAuthenticationHash, string? masterPasswordHint)
    {
+        var protectedMasterKeyWrappedUserKey = string.Concat(Constants.DatabaseFieldProtectedPrefix,
+            _dataProtector.Protect(masterPasswordUnlockData.MasterKeyWrappedUserKey));
+
+        var protectedServerSideHashedMasterPasswordAuthenticationHash = string.Concat(
+            Constants.DatabaseFieldProtectedPrefix,
+            _dataProtector.Protect(serverSideHashedMasterPasswordAuthenticationHash));
+
        return async (connection, transaction) =>
        {
            var timestamp = DateTime.UtcNow;
@@ -440,9 +450,9 @@ public class UserRepository : Repository<User, Guid>, IUserRepository
                new
                {
                    Id = userId,
-                    MasterPassword = serverSideHashedMasterPasswordAuthenticationHash,
+                    MasterPassword = protectedServerSideHashedMasterPasswordAuthenticationHash,
                    MasterPasswordHint = masterPasswordHint,
-                    Key = masterPasswordUnlockData.MasterKeyWrappedUserKey,
+                    Key = protectedMasterKeyWrappedUserKey,
                    Kdf = masterPasswordUnlockData.Kdf.KdfType,
                    KdfIterations = masterPasswordUnlockData.Kdf.Iterations,
                    KdfMemory = masterPasswordUnlockData.Kdf.Memory,